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Abstract 

Flight control systems have undergone a 
revolution since the days of simple mechanical 
linkages; presently the most advanced systems 
are full-authority, full-time digital systems 
controlling unstable aircraft. With the use 
of advanced control systems, the aerodynamic 
design can incorporate features that allow 
greater performance and fuel savings, as can 
be seen on the new Airbus design and advanced 
tactical fighter concepts. These advanced 
aircraft will he and are relying on the flight 
control system to provide the stability and 
handling qualities required for safe flight and 
to allow the pilot to control the aircraft. 

Various design philosophies have been proposed 
and followed to investigate system architectures 
for these advanced flight control systems. One 
major area of discussion is whether a multichannel 
digital control system should be synchronous or 
asynchronous. This paper addresses the flight 
experience at the Dryden Flight Research Facility 
of NASA's Ames Research Center with both synchro- 
nous and asynchronous digital flight control 
systems. Four different flight control systems 
are evaluated against criteria such as software 
reliability, cost increases, and schedule delays. 

Nomenclature 

AFTI advanced fighter technology integration 

CAS control augmentation system 

CBS computer bypass system 

DFBW digital fly-by-wire 

DEFCS digital electronic flight control system 

HiMAT highly maneuverable aircraft technology 

I/O input-output 

IPCS integrated propulsion control system 

LVDT linear variable differential transducer 

REBUS resident backup software 

RPRV remotely piloted research vehicle 

SAS Stability augmentation system 

Introduction 

Flight control systems have undergone a 
revolution since the days of simple mechanical 
linkages; presently the most advanced systems 
are full -authority, full-time digital systems 
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controlling unstable aircraft. To allow the 
most flexibility in aerodynamic design, both 
military and commercial aviation programs are 
incorporating digital flight control systems 
in aircraft design. With the use of advanced 
control systems, the aerodynamic design can 
incorporate features that allow greater per- 
formance and fuel savings, as can be seen on 
the new Airbus design and advanced tactical 
fighter concepts. These advanced aircraft 
designs will be and are relying on the flight 
control systems to provide the stability and 
handling qualities required for safe flight 
and to allow the pilot to control the air- 
craft. As the criticality and number of 
these control systems increase, it becomes 
increasingly important to understand issues 
related to the development of a system that 
will provide maximum protection with minimum 
cost and minimum maintenance. Various design 
philosophies have been followed and proposed 
related to system architectures for these 
advanced flight control systems. 

One major area of discussion is whether a 
multichannel digital control system should be 
synchronous or asynchronous. Asynchronous sys- 
tems are propounded to provide greater protec- 
tion against lightning and electromagnetic 
compatibility interference. These systems are 
also expected to provide greater battle damage 
protection. Synchronous systems are said to be 
more reliable and to provide lower design and 
test costs. A majority of the digital flight 
control systems that have been flown are syn- 
chronous; only a few are asynchronous. Examples 
of synchronous digital flight control Systems 
include the F-8 digital fly-by-wire (DFBW), F-18, 
F-15 digital electronic flight control system 
(DEFCS), and forward-swept-wing X-29A. Asynchro- 
nous systems include the advanced fighter tech- 
nology integration (AFTI) F-16 and the resident 
backup software (REBUS) system, an experimental 
backup system for the F-8 DFBW aircraft. Both 
the United Kingdom and Sweden have flown asyn- 
chronous digital flight control systems as well 
as the more conventional synchronous systems. 

The Dryden Flight Research Facility of NASA's 
Ames Research Center (Ames-Dryden) has experience 
with both synchronous and asynchronous digital 
control systems on advanced high-performance air- 
craft. The first digital fly-by-wire aircraft, 
the F-8 DFBW, developed and flown at Ames-Dryden 
in the mid-1970s and still in use as a research 
vehicle, includes a triplex synchronous digital 
flight control system. The REBUS system, an 
experimental dissimilar backup system incorpor- 
ated in the F-8 DFBW primary flight control 
system, consists of three asynchronous elements. 
The highly maneuverable aircraft technology 
(HiMAT) vehicles (subscale, remotely piloted 
research vehicles (RPRV) flown at Ames-Dryden 
in the late 1970s and early 1980s) Included 



advanced aerodynamic configuration and advanced 
technological concepts (such as digital engine 
and flight control) and used synchronous and asyn- 
chronous systems combining ground and onboard com- 
puters. The AFTI/F-16 aircraft, currently flying 
at Ames-Dryden, is an F-16 airframe with a dorsal 
fairing (to house instrumentation) and vertical 
canards (for advanced flight control application) 
added; it is controlled by a triplex asynchronous 
digital flight control system. These represent 
a range of digital flight control systems, from 
very simple to highly complex. The systems have 
employed various levels of redundancy, ranging 
from one sensor to six identical sensors. 

This paper describes flight experience at 
Ames-Dryden with both synchronous and asynchronous 
digital flight control systems. The unusual 
architectures of the F-8 OFBW, HiMAT, AFTl/F-16, 
and REBUS systems are discussed and evaluated. 
Benefits and deficiencies for both types of archi- 
tectures are discussed, and any conclusions that 
can be made from the flight data are included. 

The authors would like to thank Kenneth d. 
Szalai, Robert W. Kemple, Dwain A. Deets, 

Stephen 0. Ishmael , and Capt. Mark L. Joyner 
for their previous work in this area. 

Issues of Asynchronous 

and Synchronous Systems 

The majority of digital flight control systems 
currently operating are synchronous. The systems 
are synchronized through a combination of hardware 
and software. At specific points in the software 
an instruction triggers a hardware circuit to send 
a discrete signal to other identical computers, 
called channels. Each channel receives this syn- 
chronization signal and begins to process speci- 
fied software. Thus, each channel is operating 
at the same point in the software cycle at any 
given time. If the synchronization signal is not 
received within predetermined time constraints, 
the channel transmitting the synchronization sig- 
nal is declared failed, as are all the data It 
transmits. The system can be synchronized at 
different levels, such as once each frame or at 
any subframe. Data in synchronous systems are 
passed during specific time periods, and the other 
channels expect to receive these data at the 
proper time. If the data are not received when 
expected, the transmitting channel is' declared 
failed. The synchronization period is determined 
by the digital flight control system requirements. 

Asynchronous systems operate without a syn- 
chronization signal. Even though each digital 
flight control system channel is identical, with 
the same clock rates and initialization point, 
small differences between channels occur because 
of hardware tolerances. The skew (or timing 
differences between channels) varies, and each 
channel can be operating at any point in its 
software cycle at any given time. In asynchro- 
nous systems, data are passed when available, and 
the other channels access the data when they are 
ready. The health of other channels is determined 
by data comparisons and other information from the 
other channels. 

The decision concerning whether the digital 
flight control system will be synchronous or 


asynchronous impacts the design of the control 
laws and redundancy management functions. Con- 
versely, the requirements for the redundancy 
management functions and control laws impact the 
system architecture decision. The types of input- 
output (I/O) selection and monitoring and the 
tolerance windows (the amount a signal can vary 
from other like signals and the length of time it 
can remain different before it is declared failed) 
for failure detection depend on whether the system 
is synchronous or asynchrounous. The tolerance 
windows for failure detection must be larger for 
asynchronous systems to account for skew differ- 
systems can use the synchronization signal, but 
asynchronous systems must use a different method, 
such as tolerance windows or number of output 
failures. The type of data to be transferred and 
how often they will be transferred also need to 
be considered in the system architectural design. 
The capability of a system to reset or restart can 
also Impact and be impacted by the system design. 
The control laws will rely on the system architec- 
ture in terms of the accuracy of the data they 
will be using. 

Each of the two system design concepts, 
asynchronous and synchronous, has advantages 
and disadvantages. For synchronous systems, 
advantages include ease of verification and 
validation, ease of failure detection, and 
predictability; disadvantages include reliance 
on other channels and additional software and 
hardware requirements for synchronization. For 
asynchronous systems, advantages include channel 
independence and reduced hardware; disadvantages 
include unpredictability, difficulty in verifi- 
cation and validation, and more complex soft- 
ware for failure detection. These advantages 
and disadvantages can be evaluated in terms of 
reliability, costs, and schedule delays. 

Reliability, which can be defined as the 
inverse of the number of in-flight nonnuisance 
failures, is a critical parameter in flight 
safety or mission completion and can also have 
considerable effect on cost and schedule. Cost 
and schedule can be evaluated through the devel- 
opment cycle for the digital flight control sys- 
tem, including verification and validation time 
and flight operation. Delays in the schedule 
caused by design problems discovered during pre- 
liminary testing increase the cost of the program, 
as do verification and validation testing prob- 
lems. Any problems discovered in flight during 
the flight test portion of the program, especially 
those connected to flight-critical functions, have 
considerable impact on reliability, cost, and 
schedule for the program. Any problems requiring 
extensive redesign discovered during the verifica- 
tion and validation or flight test portion of a 
program have major impacts on the program. Prob- 
lems discovered in the operational environment 
have a major Impact on the cost of the system, 
often causing the aircraft to be grounded until 
the problem is fixed. However, operational prob- 
lems are not discussed in this paper, because the 
experience at Ames-Dryden is with experimental 
aircraft, not operational aircraft. 

Aircraft Systems Descriptions 

Short descriptions of the F-8 DFBW, REBUS, 
HIMAT, and AFTI/F-16 flight control systems are 
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presented to provide a background for the results 
and conclusions. The F-8 DFBW, REBUS, and AFTI/ 
F-16 digital flight control systems are described 
In more detail In Refs. 1 to 4. A detailed des- 
cription of the H1HAT system is to be Included 
In a NASA report, "Flight Control Systems Devel- 
opment and Flight Test Experience With the HiMAT 
Vehicles," by Robert W. Kempel and Michael R. 

Earls (In preparation). The effects of the 
system's architecture (synchronous or asynchro- 
nous) are Included with the descriptions to pro- 
vide a greater understanding of the test results 
and thus the evaluation of the two architectures. 
The software cycle, frame time, and control law 
complexity are described. Other major elements 
of the digital flight control system, such as I/O 
selection and monitoring, self-test capability, 
reset-restart capability, and control law modes, 
are also described. 

F-8 DFBW 

An F-8 aircraft (Fig. 1) was modified to 
include a fall-operate, fall-safe, fly-by-wire 
flight control system that consists of a full- 
authorlty, triplex, frame-synchronized digital 
system with a triplex analog computer bypass 
system (CBS) as backup. The flight control sys- 
tem (Fig. 2) encompasses triply redundant Input 
motion sensors and controllers, triple Interface 
units, cockpit controls and displays, and sec- 
ondary actuators. The flight control computers 
operate the basic loop in 20 msec. The input 
and output signals for this synchronous system 
are processed through the Interface units (one 
for each digital channel). The channels do not 
transfer data directly to the other channels, 
which avoids timing problems associated with 
transmitting and receiving data simultaneously. 

The interface units provide signal conditioning 
and buffer memory for all Input data, process 
output signals, provide Interchannel communica- 
tion, and participate in the failure detection 
and redundancy management functions. The buffer 
memory In the Interface units consists of data 
from each channel , one buffer per channel per 
Interface unit, which allows each computer to 
have access to the other channels' data. The 
synchronous operation of the system assures that 
each channel Is operating on the same data at the 
same time. The pilot control panels allow the 
pilot to select control modes for each axis and to 
select autopilot capabilities, while the display 
panels annunciate system status and failure Infor- 
mation. The CBS provides actuator controls for 
backup control, selection logic, and output fail- 
ure detection and provides an analog link from 
the pilot controls. The secondary actuators on 
the F-8 DFBW aircraft are triply redundant and 
contain three independent electrohydraul 1c chan- 
nels with Independent hydraulic fluid, differen- 
tial pressure sensors, and linear variable dif- 
ferential transducer (LVDT) position sensing. 

The F-8 DFBW aircraft does not require a 
complicated control system for stability augmen- 
tation, but for experimental purposes, pitch and 
lateral-directional stability augmentation system 
(SAS) modes were developed. The pitch axis mode 
also includes a more complicated control augmen- 
tation system (CAS) mode. A direct mode, which 
duplicates the unaugmented F-8 system for pitch. 


is also provided, as well as an autopilot for 
altitude hold, Mach hold, and heading and turn 
control. The inner-loop control law functions 
are computed at a 20-msec frame rate, while 
gain updating and autopilot functions operate 
at a rate of 80 msec per frame. The pitch CAS 
and the lateral-directional SAS contain sched- 
uled rate gain and accelerometer feedbacks 
with forward-loop integrators. The control 
laws were designed to be complicated enough 
to investigate the interactions between the 
control laws and the redundancy management 
functions In a synchronous system. 

The redundancy management and fault detection 
portion of the F-8 DFBW software selects the mid- 
value of three good sensors or the average of two 
good sensors after a Single failure. If two like 
sensors have failed, a default value Is used, and 
the function or mode requiring the failed-sensor 
Information Is inhibited, resulting In the loss 
of capability or mode, this function 1s performed 
on all vital Input sensors, such as motion sensors 
and control Inputs. The CBS monitors output com- 
mands using a midvalue selection technique and 
also compares the midvalue to the channels' actual 
values. If a failure is detected in the output, 
the analog channel Is switched in to replace the 
failed digital channel. A second failure of a 
digital channel transfers all channels to the 
analog system. As a synchronous system, the F-8 
DFBW computer system uses Its sync discrete and 
the channel's data transfer capabilities, the 
data transmitted at the correct time, to verify 
the health of the digital channel. A self-test 
capability Is Included In the system to allow 
the computers to determine their own health and 
status. An automatic restart capability is 
Included In the system design to Initialize the 
channels at Initial power up and in the event of 
powalr disruptions, crosslink failures, or self- 
test failure detection. 

REBUS 

An experimental dissimilar backup system, 

REBUS (Fig, 3), was incorporated Into the F-8 
DFBW system to Investigate the concept of dis- 
similar software as backup for the primary sys- 
tem. To Include software dissimilar from the 
synchronous F-8 DFBW system, the REBUS system 
Is asynchronous, operating at a 2D-msec frame 
rate. Each of the triplex REBUS channels 
operates on dedicated sensors, with the channel- 
sensor unit Independent of the operation of the 
other units to avoid asynchronous data cross- 
strapping problems; each channel operates on 
slightly different Input due to computer skew. 

The control laws provide minimal augmentation, 
little more than the capability to return to 
base and safely land. Three-axis fixed-gain 
rate damping with some nonlinear stick shaping 
and deadbands comprise the control law design. 

The REBUS system does modify the gains for 
landing and approach, but the up-and-away gains 
are constant throughout the flight envelope. 
Transfer to the REBUS system from the primary 
system occurs as a result of channel failures. 

The REBUS software is initialized using a full 
complement of sensor inputs and existing control 
surface commands. 
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Hi HAT 

The HiHAT vehicles were air launched from a 
B-52 aircraft and remotely controlled by a pilot 
located In a ground cockpit (Fig. 4). The primary 
control laws were resident in a ground-based com- 
puter with the backup control system Included In 
the onboard backup computer. The onboard com- 
puters operated asynchronously with the ground 
system and each other. The backup system could 
be controlled from either the ground or a TF-104 
chase aircraft. 

The advanced concepts Included in the HIMAT 
experiment were composite and metallic structures, 
close-coupled canards, aeroelastic tailoring, 
digital integrated propulsion control system 
(IPCS), relaxed static stability, and ground 
and airborne digital fly-by-wire controls. The 
design maneuverability goal, a sustained 8-g turn 
at Mach 0.9 and an altitude of 25,000 ft, was 
achieved during flight test along with sustained 
supersonic flight. Dual onboard computers, 
operating asynchronously, provided the inter- 
faces with the ground and various vehicle sub- 
systems, and each provided independent capability 
for a safe return. The system also Included dual 
electrical, hydraulic, and flight control systems 
(designated as primary control system and backup 
control system) as well as triplex angular rate 
sensors for all three axes, triplex lateral and 
normal accelerometers, and duplex air data sensors 
(Fig. 6). A single sensor of each variety was 
designated as backup sensor, and only it was used 
by the backup control system; the primary system 
used all the sensors. The servo actuators were 
interfaced to the onboard computers through a 
servo actuator electronics box, which translated 
the servo commands, fed back the actuator data, 
and provided failure detection for the elevon 
servo actuator system. 

The HiHAT vehicles were tested in two con- 
figurations, one with relaxed static stability 
and one with positive stability margins. The 
stable configuration control laws were full- 
authority rate-damper systems. The control 
system included a launch mode to assure separa- 
tion from the carrier aircraft and a degraded 
primary mode, which was selectable by the ground 
pilot and allowed the pilot to maintain conven- 
tional control for conditions such as loss of 
power in an engine-out situation. The pilot was 
given the option of choosing the degraded primary 
mode or the backup control system. 

The backup control system for the stable 
aircraft contained a variety of automatic modes to 
ensure recovery of the HiHAT vehicle from unusual 
or extreme conditions and to provide a safe return 
capability. The backup control system was also 
capable of orbiting at a specified altitude when 
there was a loss of uplink or downlink signal. 

The backup control system was a multi rate system 
operating at 10-, 20-, and 100-msec frame rates. 
The onboard computer system also provided total 
control of the HIMAT engine with the primary IPC.S 
resident in the backup computer and the backup . 
IPCS'i included in the primary computer. The IPCS 
included a norma) operation mode, a combat mode, 
and a high-stability mode. 


In the relaxed-stability operation, a fixed- 
gain pitch rate feedback loop was included in the 
onboard primary control system to reduce excessive 
system time delays. As in the stable condition, 
the primary control system included a launch mode 
and a degraded primary mode. The backup control 
system for the relaxed-stability operation con- 
tained seven modes (listed in Table 1) and was 
a full -authority, three-axis, multirate system. 

The backup control system was always initialized 
through the recovery mode, which brought the air- 
craft to a straight-and-level flight condition. 
Once the HIMAT vehicle was in a straight-and- 
level flight condition, the backup control sys- 
tem would transition to heading hold mode and 
altitude hold mode. If no other command was 
received by the heading hold mode or altitude 
hold mode within 26 sec, the backup control sys- 
tem would transition to the orbit mode. Airspeed 
hold mode and landing mode were also included in 
the backup control system. 

The asynchronous interactions of the airborne 
system with the ground system and the ground rule 
that no single failure would result in loss of 
the vehicle resulted in a complex design for the 
HIMAT flight systems management functions. Data 
transfer was minimized by allowing each computer 
to operate Independent functions that required 
little or no data exchange. The faults detected 
by the onboard computer system Included those that 
caused automatic transfer to backup mode, those 
that prevented automatic transfer to backup mode, 
those that indicated mission abort conditions, 
and those that indicated caution conditions. The 
onboard computer fault detection included actuator 
monito'ing, hydraulic system monitoring, electri- 
cal system monitoring, uplink system monitoring, 
downlink system monitoring, and computer seif-test 
diagnostics operating in the primary computer. 

The uplink system monitoring and computer self- 
test diagnostics were duplicated as independent 
functions in the backup computer. The ground 
failure detection and management for the single- 
string ground system included downlink integrity 
testing, uplink integrity testing, real-time loop 
integrity testing, computer heartbeat monitoring, 
stick input checks, I/O testing, air data testing, 
and angle-of-attack testing. 

AFTI/F-16 

The F-16 airframe is statically unstable in 
the pitch axis, necessitating a full-time, full- 
authority fight control system. The AFTl/F-16 
aircraft (Fig. 6) was developed with a triplex, 
asynchronous flight control system. Goals of 
this system Included dual-fail operate capability 
and the development of advanced control modes for 
decoupled motion. The flight control system 
consists of three computers, an actuator inter- 
face unit, integrated servo actuators, a flight 
control panel, and associated sensors, control- 
lers, and pilot displays (Fig. 7). The system 
also Includes a limited triplex analog inde- 
pendent backup unit. The asynchronous flight 
.control computers are identical and operate 
at a frame rate of approximately 16 msec, with 
some functions operating at about 31 and 2S msec. 
The primary sensors (pitch rate gyros, roll rate 
gyros, and yaw rate gyros) are triply redundant. 



Th«! primary controllers (pitch stick, roll stick, 
and rudder pedals) operate on three active and 
one backup transducer. An additional triply 
redundant controller was added to the throttle 
(a<; a throttle twist grip) to provide decoupled 
pitch control. The primary pilot-vehicle inter- 
face consists of two multipurpose displays that 
provide dual -redundant digital flight control 
system mode and control status as well as weapons 
management. The integrated servo actuators con- 
tain three electrohydraul ic valves operating with 
two independent hydraulic fluid sources, differ- 
ential pressure sensing, and LVDT position feed- 
back sensors. 

The AFTl/F-16 system contains eight complex 
modes (Table 2) with multiple submodes controlled 
by internal switching within the primary modes. 
These submode switches. in combination with the 
asynchronous operation of the system generated 
difficulties in both ground and flight test. 
Because of the static instability of the pitch 
axis, all the longitudinal modes require pitch 
feedback, in cruise conditions as well as takeoff 
and landing. The standard normal mode is used for 
takeoff and landing as well as cruise and is the 
primary digital mode for all failure conditions. 
Within this standard normal mode are conditions 
that allow the control laws to reconfigure for 
sensor and controller failures, which were never 
flight tested, as well as for landing and takeoff 
conditions. Along with the primary standard normal 
mode, three other standard modes are Implemented 
to provide task-tailored control, air-to-air gun 
mode, air-to-surface gun mode, and air-to-surface 
bomb mode. Each of these modes, including the 
standard normal mode, have decoupled counterparts 
that can be selected through a switch on the side- 
stick controller. These modes, with the exception 
of the no-fail condition of the standard normal 
mode, contain multiple conditions for submode 
switching. The various modes and their command 
options are shown in Table 2. The decoupled modes 
allow independent control of specific aerodynamic 
parameters, such as angle of attack, angle of 
sideslip, pitch attitude, and yaw attitude, as 
shown in Fig. 8. 

To deal with the asynchronous interactions and 
the dual-fail operate goal using a triplex system, 
the redundancy management software design for the 
AFTl/F-16 flight control system is as complex as 
the control law design. Software input voting 
for the redundant sensors, output voting for 
actuator commands and status, health checking 
of computer hardware, and preflight systems 
monitoring are the major elements of the fail- 
ure management system. The input sensors, 
controllers, and discretes are hardwired into 
each computer channel and then digitally trans- 
mitted between each asynchronous channel. The 
channels then independently select the appro- 
priate input by averaging the nonfailed like 
sensors. The output commands for all surfaces 
are transmitted to each channel and selected, 
much like the input sensor signals. Unlike the 
input sensor algorithm, the output command selec- 
tion chooses a single channel's output as deter- 
mined by internal logic. This output selection 
method was developed to maintain reasonable trip 
levels in the asynchronous system with reduced 
nuisance failures at the actuator level. Output 


command failures are used to Identify a failed 
computer; two surface command failures in a given 
channel indicate a defective channel, and all sur- 
face commands are assumed failed in that channel. 

A detected failure is reported to the failure 
manager, which then takes the appropriate action. 
The preflight monitoring uses both passive and 
active testing to determine the status of the 
flight control computers, actuators, various 
input sensors and controllers, and the analog 
backup system. A reset capability is included 
to allow the processor to reset a transient 
failure or for nuisance failures caused by asyn- 
chronous data transfer in any of the flight con- 
trol system input sensors, controllers, actuators, 
or processors. An independent I/O capability is 
included in the redundancy management design of 
the AFTI/F-16 flight control system to allow the 
loss of only the processor, not the I/O infor- 
mation, in the event of a digital channel failure. 
The transition to the analog independent backup 
unit occurs only if the system cannot determine 
which of the two remaining channels is good after 
an output failure or self-test failure detection. 

Test Experience 

All the flight control systems described in 
this paper experienced extensive verification 
and validation and ground testing prior to being 
flight tested. In this section, the results 
of testing for each flight control system (after 
the elimination of coding errors, which are not 
discussed here) are compared and evaluated against 
the criteria discussed previously: reliability, 

costs, and schedule delays. The results of for- 
mal verification and validation testing, on- 
aircraft ground testing, and flight testing are 
included. Short descriptions of the actual 
testing are included as background to the test 
results themselves. 

F-8 DFBW 

As a new and untried experiment, the F-8 DFBW 
flight control system went through extensive anal- 
ysis (described in detail in Ref. 1) before and 
during the design process in order to validate the 
design: this level of analysis greatly facilitated 
the testing. The actual system testing was broken 
into two areas, subsystem testing and integrated 
system testing, both of which included breadboard, 
iron bird, and flight testing. The verification 
and validation testing consisted of independent 
system testing, stress testing, and failure modes 
and effects testing. The majority of the indepen- 
dent system testing for the F-8 DFBW design at 
Ames-Dryden was done on the iron bird and covered 
control laws, executive, computer I/O, computer 
redundancy management, sensor redundancy manage- 
ment, in-flight self-test, preflight test, 
displays and controls, primary-bypass system 
transfer laws, and downlink system. Because 
the synchronization was critical to the system 
operation, extensive synchronization testing 
was done, including tests of the time required 
for all channels to acquire sync and tests of 
skew between channels as they exited the sync 
routine. Occasionally during early testing, 
a channel sporadically lost sync, or all three 
channels failed to achieve sync upon power up; 
consequently, the software was modified. The 
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failures were due to synchronization being sched- 
uled at a point that was subject to timing varia- 
tions. The skew measurements indicated that a 
value of less then 10 usee was typical. Another 
anomaly discovered during the early stages of 
testing was a failure of the system to downmode 
to the computer bypass system after a dual failure 
of the input data line. The early detection of 
these anomalies minimized their Impact on costs 
and schedule. 

The next level of testing involved stress 
testing, a sequence of operations often not con- 
sidered in the design phase and one that exposes 
problems not readily apparent in previous tests. 
The majority of the problems found by stress test- 
ing were related to the restart recovery process 
of the r-8 DFBW system. The anomalies discovered 
through stress testing had a greater impapt on 
cost and schedule than those discovered during 
independent system tests, but they were discovered 
early enough in the cycle to minimize the Impact. 
The minor anomalies from the piloted failure modes 
and effects testing (such as the slow detection 
of open failures of stick and rudder inputs and 
runaway rudder trim) had little Impact on both 
costs and schedule. A11 the software errors dis- 
covered during the verification and validation 
testing were corrected and retested satisfactorily 
prior to the on-aircraft ground testing. Table 3 
summarizes the anomalies discovered during verifi- 
cation and validation testing and their Impact on 
costs and schedule. 

Frequent channel failures were caused by com- 
puter hardware problems during the on-aircraft 
integration test and continued for the duration 
of the program. The flight test results for the 
program were excellent, with very few problems. 
Anomalies discovered during flight test included 
three single-channel hard failures due to hardware 
faults and one transient channel fault. No soft- 
ware anomalies were discovered in flight, but 
several were discovered in either ground operation 
or postflight analysis of the F-8 DFBW flight test 
data. None of the errors discovered invalidated 
the fail-operate requirements of the digital 
flight control system, and no nuisance faults, 
aside from hardware-related problems, occurred. 

The software anomalies detected in the approxi- 
mately 1750 hr of flight time and postflight 
analysis are shown in Table 3 along with their 
impact on costs and schedule. Testing on the 
F-8 DFBW, both prior to and during flight test, 
did not reveal a large number of anomalies. Indi- 
cating high software reliability and low cost and 
schedule impacts. 

KEBUS 

In both ground and flight testing of the 
REBUS system, no anomalies occurred. Prior to 
flight, an evaluation of the transient response 
of the aircraft on reversion to REBUS was made; 
no transients were considered to be severe, which 
was verified in flight. The two pilots who eval- 
uated REBUS felt that it was acceptable for emer- 
gency operations and that it was an improvement 
on the computer bypass mode. Table 4 summarizes 
the Impacts on reliability, costs, and schedule 
of the REBUS flight control system. 


Hi HAT 

The HiMAT flight control system went through 
several levels of tests (to be described in detail 
in the Kempel and Earls report, in preparation) 
to qualify the system for flight. Each sub- 
system, each subsystem Interface, and the 
integrated system were tested utilizing test 
configurations that varied from an all -software 
simulation to an iron bird simulation. The iron 
bird simulation Included all the actual hardware 
and software used during a flight and the HiMAT 
vehicle. The testing included verification and 
validation (consisting of subsystem functional 
tests, failure modes and effects tests, and time 
delay tests), on-aircraft ground tests (consisting 
of -closed- loop control system tests, limit cycle 
tests, ground resonance tests, and preflight 
tests), and flight test. 

Problems in both hardware and software were 
revealed during the testing. Two major anom- 
alies were discovered during the on-aircraft 
ground testing: First, asynchronous operation 

in combination with the high data rate from the 
ground-based uplink caused a failure of the 
onboard computer. The onboard computer spent 
too much time servicing the uplink and did not 
accomplish other critical tasks. Second, hard 
failures in the uplink system were interpreted 
as Intermittent failures by the onboard com- 
puters because the persistence counter was being 
Incremented after the maximum persistence count 
had been reached. The counter in the onboard 
computer would eventually wrap around, and the 
failure would be reset to be declared failed 
again when the counter reached the maximum per- 
sistence count again. Both of these anomalies 
were corrected prior to flight test, the first 
through a hardware modification and the second 
through a software modification. Both anomalies 
were discovered after verification and validation 
but prior to flight test, thus requiring time to 
modify and retest. 

Flight test of the HiMAT system revealed 
three anomalies, one with major impact to the 
program. Transient failures occurring in flight 
would reset faster than could be detected by the 
monitoring engineer. A latch was added on the 
ground to keep the transient failures displayed 
long enough for the failure to be detected by 
the responsible engineer. Another minor anomaly 
involved round-off errors in the onboard computer; 
the pilot had to advance the throttle past the 
minimum afterburner position to get the after- 
burner to light. A software change was imple- 
mented in the onboard computer, allowing normal 
operation of the throttle. Both of these anom- 
alies were nuisance problems and did not prevent 
operation of the system. However, a timing prob- 
lem was discovered in flight that resulted in a 
gear-up landing, having major Impact on the pro- 
ject. One of the uplink decoders failed, and the 
onboard computer would not accept the automatic 
sequence of commands required to lower the landing 
gear. This failure condition was caused by the 
change in filtering applied to the uplink signals 
when that decoder failed. If the other decoder 
had been the one to fail, the filtering would not 
have been affected, and the problem could possibly 
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have Qone undet6Ct6d* Agfiin, thG onboard computGr 
software was changed to correct the problem. 

The majority of these anomalies discovered 
during testing were related to the interfaces 
between different components of the asynchronous 
system,, These types of problems can be detected 
only in an integrated environment that exercises 
the system in the same way it will be used during 
flight,, Table 5 summarizes the HiMAT anomalies 
and their impact on reliability, costs, and sched- 
ule delays. 

AFTI/F-16 

The AFTI/F-16 system began verification and 
validation testing prior to completion of the 
software integration and debug stage; however, 
testing did not officially begin until all the 
coding errors in the system had been tested and 
corrected. Early in the testing process it was 
discovered that the high-gain control laws were 
interacting adversely with the redundancy man- 
agement software. This interaction magnified 
the differences in input values resulting from 
asynchronous skew to create output and channel 
failure. After the gains were reduced, output 
and channel failures still occurred. The gain 
magnification of input differences exceeded 
the output tolerance during dynamic maneuvers, 
resulting in the addition of a rate-of-change 
factor to adjust the output tolerance. Both 
conditions were discovered prior to the actual 
verification and validation and had minor Impacts 
on both costs and schedule. Major anomalies 
discovered during the verification and valida- 
tion testing .included air data and bus conten- 
tior. anomalies. An undetected bias failure in 
air data below the 15-percent trip level would 
cause channel failures; a bus controller conten- 
tion problem could cause loss of the digital 
flight control system. Both anomalies required 
software modifications but were discovered early 
enough in the project development to have only 
moderate effects on costs and schedule. 

Greater costs and schedule delays were 
incurred from the results of the ground gunfire 
tests. The vibration in the lateral accelera- 
tions and yaw rate from the gun firing caused 
output and channel failures because of the high- 
gain magnification. The time required to modify 
and retest the software prior to flight test 
generated a delay in the schedule. Flight test 
results of the AFTI/F-16 system included nine 
flight control system failures in 177.2 flight 
hours. All these failures resulted in either 
an interruption of the mission, with some points 
not flown, or a return and land requirement. 

Seven of the in-flight errors were the result 
of asynchronous skew effects on submode switching; 
each channel would trigger a change in a submode 
switch at different times, resulting in output 
failures and channel failures. Several of the 
failure conditions delayed the next flight by 
one or more days and reduced the allowable flight 
envelope or eliminated a mode. Two of the in- 
flight failures were transient failures that 
could not be duplicated and did not reoccur; con- 
siderable engineering time was lost in the dupli- 
cation attempt. Another in-flight failure was the 
result of an avionics failure, not a failure of 


the flight control system. The avionics system 
failure induced random mode changes in the flight 
control system at very high rates; consequently, 
the flight was discontinued, and the aircraft 
returned and landed, A software modification was 
made to the digital flight control system (rather 
than to the avionics) to prevent a reoccurrence 
because the failure could not be duplicated and 
did not reoccur. One major result of the first 
phase of the AFTI/F-16 program was that through- 
out the flight test program no failure caused a 
reversion to the independent backup mode. The 
failures discovered during the testing of the 
AFTI/F-16 system are summarized in Table 6 along 
with their Impact on the software reliability, 
costs, and schedule. 

Digital Flight Control Systems Evaluation 

All four aircraft completed successful flight 
test programs with the number of anomalies occur- 
ring varying from one program to another. The 
four digital flight control systems, F-8 DFBW, 
REBUS, HiMAT, and AFTI/F-16, are evaluated in 
relationship to software reliability, increased 
costs, and schedule delays. Software reliability 
defined as the inverse of the number of in-flight 
nonnuisance failures, was high on all the flight 
control systems, and all systems were proven safe 
throughout their flight envelopes. The F-8 DFBW 
aircraft experienced no software-related problems 
in flight, though some were discovered in post- 
flight analysis. The REBUS system exhibited no 
anomalies during ground or flight test. The 
HIMAT system had one major in-flight anomaly, 
which resulted in a gear-up landing on the lake- 
bed, and two minor anomalies. The AFTI/F-16 
aircraft experienced nine in-flight anomalies, 
during the first phase of the program. In terms 
of reliability, the two highly complex, asyn- 
chronous systems, the HIMAT and AFTl/F-16, had 
the most in-flight anomalies. 

Seven of the nine AFTI/F-16 anomalies were 
due to a combination of asynchronous operation, 
complex control laws, and complex redundancy 
management design. These problems were related 
to the procedure of crosslinking data between 
channels and then using a good-channel average; 
the skew between channels was often just suf- 
ficient to cause the channels to use inputs dif- 
fering enough that output failures or channel 
failures, or both, resulted. The asynchronous 
operation of the AFTI/F-16 system increased the 
complexity of its flight control system. The 
design of the REBUS system intentionally avoided 
many of the problems associated with the asynchro 
nous effect on crossl inked data. The REBUS sys- 
tem was able to avoid these effects by not cross- 
linking any data and allowing each channel to 
operate independently on independent inputs, with 
the commands evaluated in the actuators instead 
of in the flight control software. The REBUS was 
also developed as a simple system to remove extra 
complexity that could adversely affect the asyn- 
chronous operation. The synchronous operation 
of the F-8 DFBW flight control system assured 
that each channel operated on the same data at 
the same time, therefore output failures due to 
data crosslinking and skew conditions could not 
occur. The HIMAT system's major in-flight anom- 
aly was due to a timing problem when the uplink 
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decoder failed. The complexity of the AFTI/F-16 
and HiHAT systems made it difficult to predict and 
test all the conditions prior to flight. Two 
assessments that can be made from these results 
are that complexity is a major factor in flight 
control system software reliability and that syn- 
chronization and asynchronization do not, by them- 
selves, determine reliability. 

Increased costs and schedule delays (related 
in that schedule delays increase the cost of a 
system) were encountered by all the systems to 
differing degrees. The AFTI/F-16 testing did 
not originally allow variation of skew condi- 
tions nor were the skew conditions measured 
during the early tests. Consequently, there 
was no method for determining or setting the 
exact test condition, which varied from one 
test point to another. Additional testing was 
then required to repeat and correct anomalies, 
incurring schedule delays and increased costs. 

As the program progressed and several anomalies 
occurred in flight, the capability of adjusting 
the skew conditions was included into the test 
facility for the AFTI/F-16 system. A related 
factor involved in the schedule delays and 
increased costs was the difficulty with the 
asynchronous operation in determining which 
skew conditions were actually worst case for 
which flight conditions. The AFTI/F-16 system, 
with its complicated gain structure, had varying 
gains at each flight condition, which presented 
difficulties in determining worst-case conditions. 
Skew effects were evaluated early to determine 
the tolerance values, not to determine worst-case 
skew at different flight conditions and different 
modes. The very large matrix that would need to 
be evaluated discouraged the evaluation. The dif- 
ficulty connected with worst-case skew prediction 
resulted in continuously repeating a test condi- 
tion until the anomaly reoccurred. With a simpler 
system, a thorough evaluation of different skew 
conditions would have been possible, allowing 
the elimination of problems early in the design 
process, thus reducing schedule delays and cost 
increases. The REBUS program avoided these dif- 
ficulties by using a simple system. The skew on 
the REBUS system was monitored, and the results 
of both flight and ground tests indicated very 
little variation, which when combined with the 
simple design resulted in no difficulties with 
the asynchronous system. The F-8 DFBW flight 
control system testing was fairly straight- 
forward, with an easily defined test matrix. 

The test matrix did not need to be expanded to 
account for different skew conditions. Some 
design problems were addressed early in the 
F-8 DFBW flight control system verification 
and validation stage, but they had minimal 
impact on both cost and schedule. The syn- 
chronization of the computers for the system 
created some difficulties, but once the timing 
problems were corrected, no further anomalies 
arose. One inference is that asynchronous 
systems need to be simple to avoid increased 
testing and protect against in-flight anomalies. 

Another factor to be considered in minimizing 
schedule delays and cost increases is the system 
development of the digital flight control system 
as an Integrated system. The F-8 DFBW and H1HAT 
systems were developed as integrated systems; 


all the Interfaces were developed along with the 
flight control system. With this integrated 
design, the problems associated with Interfaces 
and interactions were greatly reduced. This is 
reflected in the low anomaly rate during flight 
and ground tests of these systems. The AFTI/F-16 
flight control system was developed separately 
from many of its interfaces, and consequently, 
the testing process revealed a number of anom- 
alies that resulted from the interactions between 
systems. The integration-related anomalies con- 
tinued through ground test, as evidenced by the 
ground gunfire failures, and in flight, as in 
the multiple-mode switching anomaly. While the 
asynchronous operation of the AFTI/F-16 system 
impacted these anomalies, the integrated environ- 
ment had a larger effect. The Integrated design 
process was especially helpful for the HiMAT 
vehicle. A tightly knit group of people devel- 
oped the HIMAT systems together, which allowed 
close communication and problem resolution early 
in the development cycle. The HiMAT systems 
were viewed as a large system with many sub- 
systems, and an effort was made to Insure that 
all the interfaces were properly integrated. 

The early integration in an environment that 
exercised the system in the same way as it would 
be in flight allowed the resolution of anomalies 
prior to flight and minimized schedule delays and 
cost increases. 

Concluding Remarks 

The AFTI/F-16 system was very complex in its 
control laws and redundancy management design. 

Its asynchronous operation coupled with a goal 
of dual-fail operate for a triplex system and the 
multimoded, complicated control structure resulted 
in a series of both in-flight and ground test 
anomalies. The HiMAT system, also complex, was 
tested in an integrated environment that closely 
simulated the flight environment, thus allowing 
early detection of potential problems and mini- 
mizing in-flight anomalies. The REBUS system 
had a very simple control structure and limited 
the data crosslink to avoid problems associated 
with asynchronous operation. The F-8 DFBW system, 
while not extremely complex, had sufficient com- 
plications to show that for some situations a 
synchronous system may be better for complex 
systems. As an integrated design, the F-8 DFBW 
system avoided problems that could have occurred 
and resulted in a highly successful and relatively 
trouble-free test program. 

The evaluation of the F-8 DFBW, REBUS, HiMAT, 
and AFTI/F-16 flight control systems lead to some 
interesting conclusions: 

1. The asynchronous or synchronous operation 
of the systems was not in itself a determining 
factor in the number of anomalies and difficulties 
encountered during testing. 

2. The complexity of the system can cause 
major Impacts in terms of anomalies during both 
ground and flight testing. 

3. A simple asynchronous system without 
a complicated data crosslink structure may be 
easier to develop than a synchronous system of 
the same magnitude. 



4, A system designed as an integrated sys- 
tem, including all interactions and interfaces, 
has a reduced level of difficulties in testing 
and operation. 
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Table 1 HiMAT backup flight control system modes 
and functional characteristics 


Mode 

Mode function 

Recovery 

Backup control system Initialized In this mode 
Brings the vehicle to level flight (h = 0 ft/min) 

Orbit 

Orbit mode will be entered at expiration of 25-sec 
timer following transfer to backup control system 
(unless exit orbit has been selected) 

Vehicle will climb to one of three orbit altitudes 
or dive to 25,000 ft if backup control system 
is entered above this altitude 
Orbit altitudes are 25,000 ft, 10,000 ft, and 5000 ft 

Straight and level 

Altitude, quasi-heading, and speed or Mach hold 

Turn 1 

Attitude command roll rate 
Roll rate command roll rate 

Turn 2 

All climbs at 100 ft/sec 

Dives above 10,000 ft at 100 ft/sec 

Dives below 10,000 ft at 60 ft/sec 

Land 

Scheduled airspeed and altitude rate command as a 
function of radar altitude 
Pilot is able to modulate airspeed and altitude 
rate within limits; minimum airspeed is 185 knots 
Alternative land mode provided in the event of 
radar altimeter failure 

Engine-out glide 
and flare 

Commanded airspeed of 215 knots with modulation 
capability 

Flare initiated at 550 ft radar altitude with 
eleven control transfers from airspeed command 
to altitude rate command 


9 


Table 2 AFTI/F-16 system nwdes and command options 





Control ler 


Mode 

Pitch stick 

Roll 

stick 

Rudder pedal 

Throttle twist 




Command option 


standard normal 

Normal acceleration 

Roll 

rate 

Rudder deflection 

None 

Standard air-to-surface 

Normal acceleration 

Roll 

rate 

Flat turn 

None 

bombing 

Standard air-to-surface 

Pitch rate 

Roll 

rate 

Flat turn 

None 

gun 

Standard air-to-air gun 

Pitch rate 

Roll 

rate 

Flat turn 

None 

Decoupled normal 

Flightpath maneuver 
enhancement 

Roll 

rate 

Translation 

Translation 

Decoupled air-to-surface 
bombing 

Flightpath maneuver 
enhancement 

Roll 

rate 

Flat turn 

Direct lift 

Decoupled air-to-surface 
gun 

Pitch rate maneuver 
enhancement 

Roll 

rate 

Pointing 

Pointing 

Decoupled air-to-air gun 

Pitch rate maneuver 
enhancement and 
flightpath maneu- 
ver enhancement 

Roll 

rate 

Poi nting 

Pointing 


Table 3 Major F-8 DFBW system test anomalies 


Test type 

Anomalies 

Impact 


Reliability 

Costs 

Schedule 

Verification and 

Continued operation for some 


Low 

Low 

validation 

sync faults 

No CBS downmode for dual Input 

... 

Low 

Low 


data line failure 
Software problem in power 


Low 

Low 

Ground test and 

recovery process 
Sensor fault logic errors 


Moderate 

Moderate 

operation 

Incorrect Internal interrupt 

... 

Moderate 

Moderate 

Flight test 

handling 

None 

Positive 

None 

None 

Analysis of ground and 

Fault detection logic design error 

Moderately negative 

Moderate 

Moderate 

flight test data 

Fault recovery logic deficiency 

Moderately negative 

Moderate 

Moderate 


Table 4 REBUS system test results 


Test type 

Anomalies 


Impact 


Reliability 

Costs 

Schedule 



Verification and validation 

Minor 

... 

Low 

Low 

Ground test and operation 

None 

— 

None 

None 

Flight test 

None 

Positive 

None 

None 
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Verification and Output and channel failures due 

validation to high gains 

Low output tolerances In dynamic 
maneuvers 

Channel failure due to air data bias 
Bus contention caused. channel failure 

Ground test and operation Output and channel failure during 

gunfire test 

Right test Leading edge flap output command 

failure 

Channel failure due to three output 
command failures in one channel 
Left and right canard output failures 
Dual channel failure due to dual 
output command failure 
Left and right flaperon output 
command failures 

Left and right canard output failures 
Channel failure due to three output 
command failures in one channel 
Multiple-mode switching due to 
avionics fault 


- — 

Low 

Low 

— • 

Low 

Low 



Low 

Low 

— 

Low 

Low 

--- 

Moderate 

Moderate 

Highly negative 

High 

High 

Highly negative 

High 

High 

Highly negative 

High 

High 

Highly negative 

High 

High 

Highly negative 

High 

High 

Highly negative 

High 

High 

Highly negative 

High 

High 

Highly negative 

High 

High 
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Fig. 1 F-S DFBW aircraft. 






Position 

sensors 


Center 

stick 


Primary 

digital 

computers 


Interlace 

units 


Computer 

bypass 

system 




Aircraft 

motion 

sensors 

, 

1 



Midvalue 

select 

voter 


Secondary 

actuator 


nm« 

Uj 
/ 


Servo 

electronics 


-Bypass and servo electronics 


Power 

actuator 




Control 

surface 


Fig. 2 F-8 DFBW flight control system. 
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Fig. S HiNAT airborne aomputer-airoraft ayatema interface diagram. 



ECN 20425 

Fig. 6 AFTI/F-ie aircraft. 
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Fig. 7 AS7I/F-16 flight oontrot ayatem. 
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(a) Vertical translation: oertieal veloc- (d) Lateral translation; lateral velocity 

ity control at constant pitch attitude. control at constant yaw attitude. 



(b) Direct lift; vertical flightpath con- (e) Direct sideforoe: directional flight- 

trol at constant angle of attack. path control at zero sideslip angle,- 



(o) Pitch pointing: pitch attitude control <f) Jaw pointing; directional attitude 

at constant flightpath angle. control at constant flightpath angle. 

Fig. a AFTI/F-26 decoupled control. 
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